Description of problem:
Recently during an audit on a user's cluster, it was discovered that
OLM's certificate generation functionality has a few minor shortcomings.
- The generated CA and server cert do not include a common name, which causes some tooling to have trouble tracing the cert chain.
- The generated CA and server cert include unnecessary key usages, which means those certificates can be used for more than their intended purposes.
How reproducible: Always
jlanford@redhat.com could you please double check what I've put below? QE is asking for a bug ticket for this fix (makes sense as it helps them verify everything is correct and gives us traceability)
Steps to Reproduce:
oc get secret -n openshift-operator-lifecycle-manager packageserver-service-cert -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
Actual results:
- Common Name not present in certificate data
- X509v3 extensions include:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
Expected results:
- Common Name must be present in certificate
- X509v3 extensions should NOT include Digital Signature under Key Usage
- X509v3 extensions should NOT include Extended Key Usage (other than *TLS Web Server Authentication*)
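The expected results above can be turned into an automated check for QE. The following Go program is an added example written for this ticket, not OLM's own code: it audits a parsed certificate against the three expectations and exercises the check on two self-signed fixtures it constructs itself (one mirroring the actual results, one mirroring the expected results; the CN string and the remaining Key Usage bit in the fixed fixture are assumptions).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// auditServerCert reports deviations from the ticket's expected results: CN present, no Digital Signature in Key Usage, no EKU other than Server Auth.
func auditServerCert(c *x509.Certificate) (findings []string) {
	if c.Subject.CommonName == "" {
		findings = append(findings, "Common Name not present in certificate")
	}
	if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
		findings = append(findings, "Key Usage includes Digital Signature")
	}
	for _, eku := range c.ExtKeyUsage {
		if eku != x509.ExtKeyUsageServerAuth {
			findings = append(findings, fmt.Sprintf("Extended Key Usage includes id %d, not Server Auth", eku))
		}
	}
	return findings
}
// mint builds a throwaway self-signed cert (constructed fixture, not the cert from the secret) and parses it back so the audit reads real DER fields.
func mint(cn string, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: ku, ExtKeyUsage: eku}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
func main() {
	// observed mirrors "Actual results"; expected applies "Expected results" (the CN value and KeyEncipherment bit are assumed).
	observed, err1 := mint("", x509.KeyUsageDigitalSignature|x509.KeyUsageCertSign, x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth)
	expected, err2 := mint("packageserver (assumed CN)", x509.KeyUsageKeyEncipherment, x509.ExtKeyUsageServerAuth)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println(auditServerCert(observed), auditServerCert(expected)) // 3 findings, then []
}
```

To run the same audit on the real certificate, decode the PEM produced by the `oc get secret ... | base64 -d` step with encoding/pem, parse it with x509.ParseCertificate, and pass the result to auditServerCert.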